Previously, set_var() had no input checking. Combined with
the point that, via vars, set_var() is user facing, this
can lead to easy user errors.
Now, input is checked:
- Parameter 1 is required.
- Parameter 1 cannot contain a space.
- Fewer than 3 input parameters are expected.
- Quote the expansion of the first occurrence of parameter 1
in the evaluated expression.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
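The checks listed in the commit message above, sketched as a POSIX sh function. This is an added example, not EasyRSA's own code: the name demo_set_var, the "assign only when unset" behaviour and the error texts are assumptions, and it goes beyond the listed checks by requiring a valid shell identifier and by never interpolating the value into the eval string.

```shell
#!/bin/sh
# Added illustration; demo_set_var is a hypothetical name, not EasyRSA's set_var().
# Usage: demo_set_var NAME [VALUE]  (assigns and exports NAME only if it is unset)
demo_set_var() {
    # Fewer than 3 input parameters are expected.
    [ "$#" -lt 3 ] || { echo "demo_set_var: too many parameters" >&2; return 1; }
    # Parameter 1 is required.
    [ -n "${1-}" ] || { echo "demo_set_var: missing variable name" >&2; return 1; }
    # Parameter 1 cannot contain a space.
    case "$1" in
        *' '*) echo "demo_set_var: name contains a space: '$1'" >&2; return 1 ;;
    esac
    # Extra check (assumption, not in the commit): only a plain shell
    # identifier may reach eval, so the name cannot carry other syntax.
    case "$1" in
        [!A-Za-z_]* | *[!A-Za-z0-9_]*)
            echo "demo_set_var: invalid variable name: '$1'" >&2; return 1 ;;
    esac
    sv_name=$1
    sv_value=${2-}
    # The eval string holds only the validated name. The value is referenced
    # as $sv_value and expanded once, so it is never re-parsed as shell code.
    eval ": \"\${$sv_name=\$sv_value}\""
    export "$sv_name"
}
```
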
fn_ is preferable to f_
This is to simulate 'local', which was not POSIX, until recently.
Baseline: Windows sh.exe
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use replaced in display_san() and display_dn().
verify_file(): Return status of SSL command.
Wrap long lines x4.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF.
Default can be found via command 'openssl version -d'
EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL.
Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(),
which can be forced to ALWAYS build a "safe" SSL config file.
By always building a "safe" SSL config file, EasyRSA can always configure
the default value for OPENSSL_CONF.
This patch changes easyrsa_openssl(), to force generation of a safe SSL
config on EVERY use and set OPENSSL_CONF to the same.
Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file, however,
that config file is only called via SSL option '-config' when the command
requires an SSL config file. (As by original design)
The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL
config file, although the SSL command may not support the '-config' option.
The fundamental changes made here are, easyrsa_openssl():
- ALWAYS creates a "safe" SSL config file, although it may not be required.
- ALWAYS assigns SSL env-var OPENSSL_CONF to the above "safe" SSL config file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The code being removed was used to always build a safe SSL config file
during 'init-pki' and before running most other commands. The reason
for this code was because LibreSSL throws an error for missing config
file when generating random numbers.
The first part of the change here is to redirect LibreSSL error-out to
'/dev/null', when generating random numbers, and only capture the random
number that is generated.
The second part is to remove all the code that built a safe SSL config
file prior to running all commands, so that a safe SSL config was always
present in the PKI. This is no longer required.
The third part is to improve and document command 'make-safe-ssl'.
The final result is that 'easyrsa_openssl()' is used as required, to
build a safe SSL config file on demand, as was the original design.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 4f142baa04227963f291948dcbe2cb08e6ac6cd1
Merge: 0ee7a6d bcc71d6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Mon Nov 21 20:23:22 2022 +0000
Merge branch 'doc-set-pass' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-doc-set-pass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit bcc71d6c7e0d7bfe1d628cadc13689eb32fd4c8d
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Mon Nov 21 15:14:27 2022 +0000
Minor improvements to help for cmd:'set-pass' and opt:'--no-pass'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Also, replace $die_error_exit with $confirm_aborted:
Make die() the default exit on error.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 81937721412478c0f4b7d32b6a55d18099608d88
Merge: 43d7648 345e6cc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:37:05 2022 +0000
Merge branch 'improve-escape_hazard' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-improve-escape_hazard
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 345e6cc5540d411e32c3cc7ced3017742188d144
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:07:37 2022 +0000
Minor refactor: escape_hazard()
Remove development code. Improve text.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 3a5e7539db93b88a9db8b2fb9fc6520870f337ac
Merge: 1a46e32 3d9fa5e
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:31:57 2022 +0000
Merge branch 'path-len-zero' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-path-len-zero
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 3d9fa5e955f0ed517c63bb8c35e6fde180af8b6a
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 00:30:59 2022 +0000
Option --subca-len - Allow value to be 0 (zero)
For an intermediate CA certificate, Path length of zero (0) is valid.
Therefore, allow the character '0' as a valid numeric input for EasyRSA
option --subca-len=<N>
This method allows character zero (0) ONLY, as a numeric input
for options which accept zero as a value.
Add comment: # Reset per pass flags
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit aecf6e63780d9aec8b31b61aff0704f45c9598c9
Merge: 85db316 244c059
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:28:12 2022 +0000
Merge branch 'improve-keep-tmp' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-improve-keep-tmp
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 244c05968e76d1fa7673202e1623cb252083bc66
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 17 02:13:40 2022 +0000
Expand check for --keep-tmp value to an existing file of any type
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA version 3.1.x only.
Summary of changes:
1. Introduce EasyRSA command 'set-pass'.
Use SSL command 'pkey' to set passwords on all private key files.
SSL command 'pkey' supports all EasyRSA cryptography settings.
This replaces "Legacy" commands 'set-rsa-pass' and 'set-ecpass'.
(These commands and their original code are retained for compatibility)
2. Remove the use of EasyRSA variable $no_password from legacy commands.
This bug was caused by commit: 9b4bd19545ebc7faf0e281483ddb53748c40eb07
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Replace all 'set-X-pass' commands with single 'set-pass' command.
The new EasyRSA 'set-pass' command uses OpenSSL command 'pkey' to manipulate
private keys. OpenSSL 'pkey' command supports all EasyRSA cryptography.
Retain compatibility with old commands.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 7bdc3cdfbf4ac11dc5ff6377b1b32306fc50bc66
Merge: 320a324 7fa4ec9
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 10 19:41:31 2022 +0000
Merge branch 'fix-random-cert-serial' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-fix-random-cert-serial
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 7fa4ec9e3155f8b54648226397ef73f9086779d1
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 10 19:27:37 2022 +0000
Require unique random serial number for certificate or fail
This only affects Random certificate serial numbers: EASYRSA_RAND_SN
(EASYRSA_RAND_SN is the Easy-RSA default mode)
Previously, no matter if a _unique_ random serial number was generated,
sign_req() would always use the last random number generated, as serial
number for the new certificate.
This behaviour also allowed _complete failure_ of the SSL serial number
check to pass without error.
This change allows signing a request to succeed ONLY when a unique serial
number has been generated and validated.
A failure of the SSL CA unique serial number check will NOT be ignored.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
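The fail-closed behaviour described in the serial number commit above, as an added POSIX sh example that is not EasyRSA's code. All function names are hypothetical, the index file is constructed sample data, and a lookup in an OpenSSL-style CA index file stands in for the SSL CA serial check: a collision retries, a failed check aborts, and a serial is returned only once it has been validated as unused.

```shell
#!/bin/sh
# Added illustration; every name here is hypothetical, not EasyRSA's code.

# Write a constructed CA index (tab-separated, serial number in field 4).
demo_index() {
    printf 'V\t330101000000Z\t\t0A1B2C\tunknown\t/CN=constructed-server\n' > "$1"
    printf 'R\t330101000000Z\t230101000000Z\t0A1B2D\tunknown\t/CN=constructed-client\n' >> "$1"
}

# serial_status SERIAL INDEX
# Returns 0 = already issued, 1 = unused, 2 = the check itself failed.
serial_status() {
    [ -r "$2" ] || return 2
    awk -F '\t' -v s="$1" \
        'toupper($4) == toupper(s) { found = 1 } END { exit !found }' "$2"
}

# 128 bits of random data as 32 upper-case hex digits.
new_serial() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# unique_serial INDEX [GENERATOR] [ATTEMPTS]
# Prints a serial and returns 0 only after it was validated as unused.
# Returns 1 when every attempt collided, 2 when generation or the check failed.
unique_serial() {
    us_index=$1 us_gen=${2:-new_serial} us_tries=${3:-5}
    while [ "$us_tries" -gt 0 ]; do
        us_serial=$($us_gen) || return 2
        [ -n "$us_serial" ] || return 2
        us_rc=0
        serial_status "$us_serial" "$us_index" || us_rc=$?
        case $us_rc in
            1) printf '%s\n' "$us_serial"; return 0 ;;  # validated as unique
            0) ;;                                       # collision: try again
            *) return 2 ;;                              # check failed: never ignored
        esac
        us_tries=$((us_tries - 1))
    done
    return 1  # nothing unique was found: the caller must refuse to sign
}
```

A caller signs only on exit status 0, so the last generated value can never be used after a collision or a failed check.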
Squashed commit of the following:
commit cb68324306febcddf7ef03fe56fc1eddf06e7db7
Merge: 82483f1 2199d0c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:19:41 2022 +0000
Merge branch 'f-easyrsa_random' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-f-easyrsa_random
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 2199d0c323e506df436a335375be9115a12d6b7f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:05:17 2022 +0000
Minor improvements to temp-session and temp-file
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit aa15b74722632ecab14c07ba9f2158d121e55d4f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 20:35:43 2022 +0000
New function: easyrsa-random() - Generate random hexadecimal data
Replace the various random requirements with this new function.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>